This is an archive of the discontinued LLVM Phabricator instance.

Differential D155338

[HWASAN][LSAN] Fix false positive memory leak reports on X86_64
ClosedPublic

Authored by kstoimenov on Jul 14 2023, 1:54 PM.

Details

Reviewers
vitalybuka
Commits
rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64
Summary

Before this patch when running HWASAN on x86_64 with memory tagging support we got a bunch of false memory leak reports. The reason for that is that the heuristic used to detect if an 8 bytes could be a user pointer was not valid when memory tagging is used as the top byte could contain non-zero information.

Diff Detail

Event Timeline

kstoimenov created this revision.Jul 14 2023, 1:54 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 14 2023, 1:54 PM
Herald added a subscriber: Enna1. · View Herald Transcript
kstoimenov requested review of this revision.Jul 14 2023, 1:54 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 14 2023, 1:54 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B245487: Diff 540557.Jul 14 2023, 2:19 PM
vitalybuka added a subscriber: vitalybuka.Jul 14 2023, 2:21 PM
vitalybuka added inline comments.
compiler-rt/lib/lsan/lsan_common.cpp
276

we should query this from kernel, like in CanUseTaggingAbi

kstoimenov added a reviewer: vitalybuka.Jul 14 2023, 2:26 PM
vitalybuka added inline comments.Jul 14 2023, 2:28 PM
compiler-rt/lib/lsan/lsan_common.cpp
275–277

I am confused.
This one masking out 55:48, not the top byte?

276

Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/

vitalybuka added inline comments.Jul 17 2023, 11:48 AM
compiler-rt/lib/lsan/lsan_common.cpp
275–277

Never mind, the point to distinguish user space, so we check top bits AFTER top byte.

276

I measured "return true" and on average it's 1.5% regressions.

So it's measureable, current 17 bit vs 8 bit, I can't measure a difference, but still think it's safe to keep as much as possible bits, 11 should work for us.

Please drop TODO that we will need to refactore this code for LAM48, or 5 level page tables.

kstoimenov updated this revision to Diff 541251.Jul 17 2023, 3:20 PM

Added a test.

kstoimenov updated this revision to Diff 541253.Jul 17 2023, 3:23 PM

Updated comment.

kstoimenov updated this revision to Diff 541254.Jul 17 2023, 3:23 PM

Removed include.

vitalybuka added inline comments.Jul 17 2023, 3:28 PM
compiler-rt/lib/lsan/lsan_common.cpp
276

not done?

compiler-rt/test/lsan/TestCases/user_pointer.cpp
9–17 ↗(On Diff #541254)

Maybe something more stronger

Harbormaster completed remote builds in B246015: Diff 541254.Jul 17 2023, 4:30 PM
kstoimenov updated this revision to Diff 541283.Jul 17 2023, 5:23 PM

Addressed comments.

kstoimenov marked 2 inline comments as done.Jul 17 2023, 5:23 PM
kstoimenov added inline comments.
compiler-rt/test/lsan/TestCases/user_pointer.cpp
9–17 ↗(On Diff #541254)

This code actually generates memory leaks because the allocated memory is not referenced by any pointer. I had a version where there are 2 arrays: one with the pointer and the other one with & ' p & (255ULL << 48)', but I am not sure how with would help. Probably the best is just to leave with one

Harbormaster completed remote builds in B246038: Diff 541283.Jul 17 2023, 5:41 PM
vitalybuka accepted this revision.Jul 18 2023, 11:03 AM
vitalybuka added inline comments.
compiler-rt/test/lsan/TestCases/user_pointer.cpp
14 ↗(On Diff #541283)

I see. So if we set masked bits, it will still fail other LSAN checks

so the test as is is not very useful, but not easy way change that.

This revision is now accepted and ready to land.Jul 18 2023, 11:03 AM
kstoimenov retitled this revision from [HWASAN][LSAN] Fix false positive memeory leak reports on X86 to [HWASAN][LSAN] Fix false positive memory leak reports on X86.Jul 18 2023, 11:24 AM
kstoimenov retitled this revision from [HWASAN][LSAN] Fix false positive memory leak reports on X86 to [HWASAN][LSAN] Fix false positive memory leak reports on X86_64.Jul 18 2023, 11:28 AM
kstoimenov edited the summary of this revision. (Show Details)
Herald added a subscriber: pengfei. · View Herald TranscriptJul 18 2023, 11:28 AM
kstoimenov added inline comments.Jul 18 2023, 11:30 AM
compiler-rt/test/lsan/TestCases/user_pointer.cpp
14 ↗(On Diff #541283)

I will catch false positives. This test failed with HWASAN on x86 without my fix. Granted a bunch of other tests would have also failed, but it is good to have an explicit one.

Closed by commit rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64 (authored by kstoimenov). · Explain WhyJul 18 2023, 12:04 PM
This revision was automatically updated to reflect the committed changes.
kstoimenov added a commit: rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64.
kstoimenov edited the summary of this revision. (Show Details)Jul 18 2023, 2:16 PM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
18 lines

Diff 540557

compiler-rt/lib/lsan/lsan_common.cpp

Show First 20 LinesShow All 257 Lines▼ Show 20 Lines
}; };
static inline bool MaybeUserPointer(uptr p) { static inline bool MaybeUserPointer(uptr p) {
// Since our heap is located in mmap-ed memory, we can assume a sensible lower // Since our heap is located in mmap-ed memory, we can assume a sensible lower
// bound on heap addresses. // bound on heap addresses.
const uptr kMinAddress = 4 * 4096; const uptr kMinAddress = 4 * 4096;
if (p < kMinAddress) if (p < kMinAddress)
return false; return false;
# if defined(__x86_64__) # if defined(__x86_64__) || defined(__aarch64__)
// TODO: add logic similar to ARM when Intel LAM is available. // This logic strips down the top byte and the lower 48 bits from the 64 bit
// Accept only canonical form user-space addresses. // value and checks if the remaining 8 bits are 0. The assumption is that we
return ((p >> 47) == 0); // have 48 bit VMA and that the top byte can be used to store additional
# elif defined(__mips64) // information on both AArch64 and X86_64. Even though on X86_64 we might use
return ((p >> 40) == 0); // less than 8 bits from the top byte we want to error on the side of
# elif defined(__aarch64__) // returning true rather than creating false positive memory leak report.
// TBI (Top Byte Ignore) feature of AArch64: bits [63:56] are ignored in
// address translation and can be used to store a tag.
constexpr uptr kPointerMask = 255ULL << 48; constexpr uptr kPointerMask = 255ULL << 48;
// Accept up to 48 bit VMA. // Accept up to 48 bit VMA.
return ((p & kPointerMask) == 0); return ((p & kPointerMask) == 0);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I am confused.
This one masking out 55:48, not the top byte?

vitalybuka: I am confused. This one masking out 55:48, not the top byte?
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Never mind, the point to distinguish user space, so we check top bits AFTER top byte.

vitalybuka: Never mind, the point to distinguish user space, so we check top bits AFTER top byte.
# elif defined(__mips64)
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

we should query this from kernel, like in CanUseTaggingAbi

vitalybuka: we should query this from kernel, like in CanUseTaggingAbi
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/

vitalybuka: Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/
vitalybukaUnsubmitted
Done
ReplyInline Actions

I measured "return true" and on average it's 1.5% regressions.

So it's measureable, current 17 bit vs 8 bit, I can't measure a difference, but still think it's safe to keep as much as possible bits, 11 should work for us.

Please drop TODO that we will need to refactore this code for LAM48, or 5 level page tables.

vitalybuka: I measured "return true" and on average it's 1.5% regressions. So it's measureable, current 17…
vitalybukaUnsubmitted
Done
ReplyInline Actions

not done?

vitalybuka: not done?
return ((p >> 40) == 0);
# elif defined(__loongarch_lp64) # elif defined(__loongarch_lp64)
// Allow 47-bit user-space VMA at current. // Allow 47-bit user-space VMA at current.
return ((p >> 47) == 0); return ((p >> 47) == 0);
# else # else
return true; return true;
# endif # endif
} }
▲ Show 20 LinesShow All 817 LinesShow Last 20 Lines